
Lattice-Based Cryptography. Chris Peikert, University of Michigan (PowerPoint slide deck)

Lattice-Based Cryptography. Chris Peikert, University of Michigan. QCrypt 2016. (1 / 24)
Agenda
1 Foundations: lattice problems, SIS/LWE and their applications
2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices
3 Practical Implementations:


Another Hard Problem: Learning With Errors [Regev'05] (9 / 24)
◮ Parameters: dimension $n$, modulus $q = \mathrm{poly}(n)$, error distribution
◮ Search: find secret $s \in \mathbb{Z}_q^n$ given many 'noisy inner products'
  $$b^t = s^t A + e^t, \qquad \sqrt{n} \le \text{error} \ll q, \quad \text{'rate' } \alpha$$
◮ Decision: distinguish $(A, b)$ from uniform $(A, b)$
LWE is Hard
  $(n/\alpha)$-approx worst-case lattice problems $\le$ search-LWE $\le$ decision-LWE $\le$ crypto
  (the first reduction is quantum [R'05]; the second is [BFKL'93,R'05,...])
◮ Also fully classical reductions, for worse params [Peikert'09,BLPRS'13]

LWE is Versatile (10 / 24)
What kinds of crypto can we do with LWE?
✔ Key Exchange, Public Key Encryption
✔ Oblivious Transfer
✔ Actively Secure Encryption (w/o random oracles)
✔ Block Ciphers, PRFs
✔✔ Identity-Based Encryption (w/ RO)
✔✔ Hierarchical ID-Based Encryption (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based Encryption for arbitrary policies
and much, much more...

Key Exchange from LWE [Regev'05,LP'11] (11 / 24)
Public $A \leftarrow \mathbb{Z}_q^{n \times n}$; one party samples $r \leftarrow \mathbb{Z}^n$ (error), the other $s \leftarrow \mathbb{Z}^n$ (error).
◮ The $r$-side sends $u^t \approx r^t \cdot A \in \mathbb{Z}_q^n$
◮ The $s$-side sends $v \approx A \cdot s \in \mathbb{Z}_q^n$
◮ The $r$-side computes $r^t \cdot v \approx r^t A s$; the $s$-side computes $k \approx u^t \cdot s \approx r^t A s$
◮ $(A, u, v, k)$ is indistinguishable from uniform, by decision-LWE
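The exchange on this slide carried through in code, as an added example (not code from the talk or from [LP'11]). It assumes constructed toy parameters n = 128, q = 12289 and ternary secrets and errors, and checks that the two approximate keys differ by exactly $r^t e_2 - e_1^t s$, which is small; the reconciliation step that turns an approximate key into exact shared bits is not shown.

```python
import random

# Constructed toy parameters (an assumption of this example, not from the talk
# or any deployed scheme): dimension n, modulus q, ternary {-1,0,1} vectors.
N, Q = 128, 12289

def small_vec(rng, n=N):
    """'Error'-distributed vector with entries in {-1, 0, 1}; used for r, s, e."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def uniform_matrix(rng, n=N, q=Q):
    """Public A <- Z_q^{n x n}, known to both parties and to the adversary."""
    return [[rng.randrange(q) for _ in range(n)] for _ in range(n)]

def vec_mat(r, A, q=Q):
    """Row vector times matrix: r^t A mod q."""
    return [sum(ri * row[j] for ri, row in zip(r, A)) % q for j in range(len(A[0]))]

def mat_vec(A, s, q=Q):
    """Matrix times column vector: A s mod q."""
    return [sum(aij * sj for aij, sj in zip(row, s)) % q for row in A]

def dot(x, y, q=Q):
    """Inner product mod q."""
    return sum(a * b for a, b in zip(x, y)) % q

def center(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def lwe_key_exchange(seed=0):
    """The slide's exchange: returns both sides' approximate keys and the noise term."""
    rng = random.Random(seed)
    A = uniform_matrix(rng)
    # r-side: secret r, sends u^t = r^t A + e1^t (an LWE sample w.r.t. A)
    r, e1 = small_vec(rng), small_vec(rng)
    u = [(x + y) % Q for x, y in zip(vec_mat(r, A), e1)]
    # s-side: secret s, sends v = A s + e2 (an LWE sample w.r.t. A^t)
    s, e2 = small_vec(rng), small_vec(rng)
    v = [(x + y) % Q for x, y in zip(mat_vec(A, s), e2)]
    # Each side approximates r^t A s without learning the other's secret:
    k_r = dot(r, v)   # = r^t A s + r^t e2
    k_s = dot(u, s)   # = r^t A s + e1^t s
    # (A, u, v, k) is pseudorandom under decision-LWE; only the small
    # cross terms r^t e2 and e1^t s keep the two keys from matching exactly.
    return {"k_r": k_r, "k_s": k_s, "noise": center(dot(r, e2) - dot(e1, s))}

def agreement_gap(seed=0):
    """k_r - k_s, centered mod q; equals r^t e2 - e1^t s, so |gap| <= 2n here."""
    out = lwe_key_exchange(seed)
    return center(out["k_r"] - out["k_s"])

if __name__ == "__main__":
    print(lwe_key_exchange(), agreement_gap())
```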

Efficiency from Rings (12 / 24)

SIS/LWE are (Sort Of) Efficient (13 / 24)
◮ Getting one pseudorandom scalar $b_i \in \mathbb{Z}_q$ requires an $n$-dim mod-$q$ inner product:
  $$\langle a_i, s \rangle + e_i = b_i \in \mathbb{Z}_q$$
◮ Can amortize each $a_i$ over many secrets $s_j$, but still $\tilde{O}(n)$ work per scalar output.
◮ Cryptosystems have rather large keys: $\mathrm{pk} = (A, b)$, where $A$ has $\Omega(n)$ rows and $n$ columns.
◮ Inherently $\ge n^2$ time to encrypt & decrypt an $n$-bit message.

Wishful Thinking... (14 / 24)
◮ Get $n$ pseudorandom scalars from just one (cheap) product operation?
  $$a_i \star s + e_i = b_i \in \mathbb{Z}_q^n$$
◮ Replace $\mathbb{Z}_q^{n \times n}$-chunks by $\mathbb{Z}_q^n$
Question
◮ How to define the product '$\star$' so that $(a_i, b_i)$ is pseudorandom?
◮ Careful! With small error, coordinate-wise multiplication is insecure!
Answer
◮ '$\star$' = multiplication in a polynomial ring: e.g., $\mathbb{Z}_q[X]/(X^n + 1)$. Fast and practical with FFT: $n \log n$ operations mod $q$.
◮ Same ring structures used in NTRU cryptosystem [HPS'98], compact one-way / CR hash functions [Mic'02,PR'06,LM'06,...]

LWE Over Rings, Over Simplified (15 / 24)
◮ Let $R = \mathbb{Z}[X]/(X^n + 1)$ for $n$ a power of two, and $R_q = R/qR$
  ⋆ Elements of $R_q$ are deg $< n$ polynomials with mod-$q$ coefficients
  ⋆ Operations in $R_q$ are very efficient using FFT-like algorithms
◮ Search: find secret ring element $s(X) \in R_q$, given:
  $a_1 \leftarrow R_q,\ b_1 = s \cdot a_1 + e_1 \in R_q$
  $a_2 \leftarrow R_q,\ b_2 = s \cdot a_2 + e_2 \in R_q$
  $a_3 \leftarrow R_q,\ b_3 = s \cdot a_3 + e_3 \in R_q$
  ... (the $e_i \in R$ are 'small')
◮ Decision: distinguish $(a_i, b_i)$ from uniform $(a_i, b_i) \in R_q \times R_q$ (with noticeable advantage)

Hardness of Ring-LWE [LyubashevskyPeikertRegev'10] (16 / 24)
◮ Two main theorems (reductions):
  worst-case approx-SVP on ideal lattices in $R$ $\le$ search $R$-LWE $\le$ decision $R$-LWE
  (first step: quantum, any $R = \mathcal{O}_K$; second step: classical, any cyclotomic $R$)
1 If you can find $s$ given $(a_i, b_i)$, then you can find approximately shortest vectors in any ideal lattice in $R$ (using a quantum algorithm).
2 If you can distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$, then you can find $s$.
◮ Then: decision $R$-LWE $\le$ lots of crypto
  ⋆ If you can break the crypto, then you can distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$...

Ideal Lattices (17 / 24)
◮ Say $R = \mathbb{Z}[X]/(X^n + 1)$ for power-of-two $n$. (Or $R = \mathcal{O}_K$.)
◮ An ideal $I \subseteq R$ is closed under $+$ and $-$, and under $\cdot$ with $R$.
To get ideal lattices, embed $R$ and its ideals into $\mathbb{R}^n$. How?
1 Obvious answer: 'coefficient embedding'
  $$a_0 + a_1 X + \cdots + a_{n-1} X^{n-1} \in R \;\mapsto\; (a_0, \ldots, a_{n-1}) \in \mathbb{Z}^n$$
  $+$ is coordinate-wise, but analyzing $\cdot$ is cumbersome.
2 Minkowski: 'canonical embedding.' Let $\omega = \exp(\pi i/n) \in \mathbb{C}$, so the roots of $X^n + 1$ are $\omega^1, \omega^3, \ldots, \omega^{2n-1}$. Embed:
  $$a(X) \in R \;\mapsto\; \bigl(a(\omega^1), a(\omega^3), \ldots, a(\omega^{2n-1})\bigr) \in \mathbb{C}^n$$
  Both $+$ and $\cdot$ are coordinate-wise. Error distribution is Gaussian in canonical embedding.

Ideal Lattices (18 / 24)
◮ Say $R = \mathbb{Z}[X]/(X^2 + 1)$. Embeddings map $X \mapsto \pm i$: $\sigma(1) = (1, 1)$, $\sigma(X) = (i, -i)$.
◮ $I = \langle X - 2,\ -3X + 1 \rangle$ is an ideal in $R$. [Figure: the embedded lattice points $\sigma(X - 2)$ and $\sigma(-3X + 1)$.]
(Approximate) Shortest Vector Problem
◮ Given (an arbitrary basis of) an arbitrary ideal $I \subseteq R$, find a nearly shortest nonzero $a \in I$.
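An added example (not code from the talk) serving slides 14, 15, 17 and 18: multiplication in $R = \mathbb{Z}[X]/(X^n + 1)$, a Ring-LWE sample in $R_q$, the canonical embedding checked on the slide's $n = 2$ example, and, for slide 14's 'Careful!' remark, why a coordinate-wise '$\star$' is insecure (each coordinate is a one-dimensional instance that exhaustive search over $\mathbb{Z}_q$ solves). The parameters $n = 8$, $q = 257$ and ternary errors are constructed assumptions.

```python
import cmath
import random

def negacyclic_mul(a, b, q=None):
    """a(X)*b(X) in Z[X]/(X^n + 1) for coefficient lists of length n.
    If q is given, coefficients are reduced mod q (product in R_q)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj   # wrap-around uses X^n = -1
    return [c % q for c in out] if q else out

def canonical_embed(a):
    """sigma(a) = (a(w^1), a(w^3), ..., a(w^(2n-1))), w = exp(pi*i/n):
    a evaluated at the n roots of X^n + 1."""
    n = len(a)
    w = cmath.exp(cmath.pi * 1j / n)
    return [sum(c * w ** (k * e) for e, c in enumerate(a)) for k in range(1, 2 * n, 2)]

def embedding_is_multiplicative(a, b, tol=1e-9):
    """sigma(a*b) equals the coordinate-wise product sigma(a)*sigma(b)."""
    lhs = canonical_embed(negacyclic_mul(a, b))
    rhs = [x * y for x, y in zip(canonical_embed(a), canonical_embed(b))]
    return all(abs(x - y) < tol for x, y in zip(lhs, rhs))

def ring_lwe_sample(rng, s, q, bound=1):
    """One R_q sample (a, b = s*a + e): a uniform, e 'small' (|coeffs| <= bound)."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(n)]
    b = [(x + y) % q for x, y in zip(negacyclic_mul(s, a, q), e)]
    return a, b, e

def coordinatewise_sample(rng, s, q, bound=1):
    """The rejected '*': b[j] = s[j]*a[j] + e[j], each coordinate on its own."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(n)]
    return a, [(sj * aj + ej) % q for sj, aj, ej in zip(s, a, e)]

def recover_coordinatewise_secret(samples, q, bound=1):
    """Why coordinate-wise '*' is insecure: coordinate j is a 1-dimensional
    LWE instance, so trying all q candidates for s[j] against a few samples
    leaves only the value that makes every b[j] - t*a[j] small."""
    def is_small(x):
        x %= q
        return min(x, q - x) <= bound
    n = len(samples[0][0])
    return [next(t for t in range(q)
                 if all(is_small(b[j] - t * a[j]) for a, b in samples))
            for j in range(n)]

def demo(seed=0, n=8, q=257):
    """Constructed instance: secret s, one ring sample, and the per-coordinate recovery."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    ring = ring_lwe_sample(rng, s, q)
    samples = [coordinatewise_sample(rng, s, q) for _ in range(6)]
    return s, ring, recover_coordinatewise_secret(samples, q)
```

With the ring product, by contrast, every output coefficient depends on all n secret coefficients, which is exactly why the slide's '$\star$' is ring multiplication rather than a coordinate-wise product.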

Complexity of Ideal Lattices (19 / 24)
1 We know approx-$R$-SVP $\le$ $R$-LWE (quantumly). Other direction? Can we solve $R$-LWE using an oracle for approx-$R$-SVP?
  $R$-LWE samples $(a_i, b_i)$ don't readily translate to ideals in $R$.
2 How hard/easy is $\mathrm{poly}(n)$-$R$-SVP? (In cyclotomics etc.)
  ⋆ Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general $n$-dim lattices is known.
  ⋆ But $2^{O(\sqrt{n \log n})}$-SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR'16,BS'16,K'16,CDW'16]
  ⋆ There is a $2^{\Omega(\sqrt{n/\log n})}$ barrier for the main technique. Can it be circumvented?

Implementations (20 / 24)

Key Exchange (21 / 24)
◮ NewHope [ADPS'15]: Ring-LWE key exchange à la [LPR'10,P'14], with many optimizations and conjectured ≥ 200-bit quantum security.
  Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security.
  Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.
◮ Frodo [BCDMNNRS'16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security.
  About 10x slower than NewHope, but only ≈ 2x slower than ECDH.

Digital Signatures (22 / 24)
◮ Most implementations follow design from [Lyubashevsky'09/'12,...].
◮ BLISS [DDLL'13]: optimized implementation in this framework.
◮ Compelling efficiency:
  System      Sig (Kb)   PK (Kb)   KSign/sec   KVer/sec
  RSA-4096    4.0        4.0       0.1         7.5
  ECDSA-256   0.5        0.25      9.5         2.5
  BLISS       5.6        7.0       8.0         33
  (Conjectured ≥ 128 bits of security, openssl implementations.)

Other Implementations (23 / 24)
◮ HElib [HaleviShoup]: an 'assembly language' for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records.
◮ Λ ◦ λ (L O L) [CrockettPeikert'16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems. Focuses on modularity, safety, and consistency with best theory.

Conclusions (24 / 24)
◮ Lattices are a very attractive foundation for 'post-quantum' crypto, both 'basic' and 'advanced.'
◮ Cryptanalysis/security estimates for concrete parameters are subtle and ongoing, but maturing.
◮ A big success story for rigorous theory and practical engineering alike!
